How to write a query to find event count of source ip greater than 10000 in 30mins?

Comments

    Michael Sage

    Hi Allwin,

    How's this going? Can you share a sample log file or some of the output? Using Apache logs with source IP and destination URL as an example, are you looking for something like this?

    _sourceCategory=Labs/Apache/Access
    | parse "] \"GET * HTTP" as url
    | parse "* - - " as src
    | count by src, url | where _count > 10000

    Michael 

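The same detection carried through offline, as an added example that is not part of the original thread or of Michael's query: it parses Apache access-log lines (the `src` field the `parse "* - - "` anchor above extracts, plus the bracketed timestamp), buckets events into fixed, epoch-aligned 30-minute windows (the semantics of Sumo Logic's `timeslice 30m`, which the query above leaves to the search time range), counts per window and source IP, and reports pairs above the threshold. The log lines, IP addresses and times are constructed for the example.

```python
"""Flag source IPs with more than a threshold of events in any 30-minute window.

Added example, not code from the original thread. Reproduces offline what a
Sumo Logic search with `timeslice 30m | count by _timeslice, src` would do.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache common/combined format: '<ip> - - [<timestamp>] "<request>" ...'
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"
WINDOW_SECONDS = 30 * 60


def parse_line(line):
    """Return (src_ip, epoch_seconds), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), APACHE_TS)
    except ValueError:
        return None
    return m.group("src"), int(ts.timestamp())


def slice_start(epoch, window=WINDOW_SECONDS):
    """Align a timestamp to the start of its fixed window (epoch-aligned, like timeslice)."""
    return epoch - (epoch % window)


def count_by_slice_and_src(lines, window=WINDOW_SECONDS):
    """Count events per (window_start_epoch, src_ip); unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, epoch = parsed
        counts[(slice_start(epoch, window), src)] += 1
    return counts


def noisy_sources(lines, threshold=10000, window=WINDOW_SECONDS):
    """Return sorted [(window_start_iso, src_ip, count)] for pairs with count > threshold."""
    counts = count_by_slice_and_src(lines, window)
    hits = [(datetime.fromtimestamp(start, tz=timezone.utc).isoformat(), src, n)
            for (start, src), n in counts.items() if n > threshold]
    return sorted(hits)


def make_sample_log():
    """Constructed sample log (hypothetical addresses and times, not real data):
    10,500 hits from 203.0.113.7 inside the 10:00-10:29 slice, and 300 hits from
    198.51.100.4 spread over 10:00-10:59, which straddles two slices."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(10500):
        ts = (base + timedelta(seconds=i % 1800)).strftime(APACHE_TS)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /login HTTP/1.1" 200 512')
    for i in range(300):
        ts = (base + timedelta(seconds=i * 12)).strftime(APACHE_TS)
        lines.append(f'198.51.100.4 - - [{ts}] "GET /index.html HTTP/1.1" 200 2048')
    lines.append("this line is not an access-log record and must be ignored")
    return lines


if __name__ == "__main__":
    for window_start, src, n in noisy_sources(make_sample_log()):
        print(f"{window_start}  {src}  {n}")
```

Two points worth keeping in mind when moving this back into a search: the windows are fixed slices, so a burst that straddles a 30-minute boundary is split across two counts and can fall under the threshold in both (a sliding window needs a different query), and adding the request URL to the key, as Michael's `count by src, url` does, partitions the count further so that a single IP hammering many distinct URLs may never cross 10000 on any one of them.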